当前位置：首页 > news >正文

ASP.NET Core 中JWT的基本使用

news 2025/5/29 10:00:17

文章目录

前言
一、JWT与RBAC
二、JWT 的作用
三、RBAC 的核心思想
四、使用
- 1、配置文件 (appsettings.json)
- 2、JWT配置模型 (Entity/JwtSettings.cs)
- 3、服务扩展类，JWT配置 (Extensions/ServiceExtensions.cs)
- 4、用户仓库接口服务
- 5、认证服务 (Interface/IAuthService.cs、Repository/AuthService.cs)
- 6、控制器（验证登录权限，生成Token）
- 7、注册服务
- 8、使用示例
- 9、高级权限控制
- - 1）实现自定义策略处理器：
  - 2）注册服务及定义策略
  - 3）使用自定义策略
五、关键安全配置
六、完整流程说明
总结

前言

在ASP.NET Core Web API中实现基于JWT的RBAC（基于角色的访问控制）。

一、JWT与RBAC

JWT（JSON Web Token）与 RBAC（基于角色的访问控制，Role-Based Access Access Control）结合使用时，是一种通过令牌（Token）传递用户角色信息，并基于角色实现权限管理的安全机制。

二、JWT 的作用

JWT 是一种紧凑的、自包含的令牌格式，通常用于身份验证和授权。其结构分为三部分：
- Header：算法和令牌类型（如 HS256 或 RSA）。
- Payload：存放用户信息（如用户ID、角色）和声明（如过期时间）。
- Signature：对前两部分的签名，确保令牌未被篡改。

三、RBAC 的核心思想

RBAC 通过角色管理权限，而非直接赋予用户权限：
- 角色（Role）：定义一组权限（如 admin、user）。
- 权限（Permission）：资源或操作（如 read:data、delete:user）。
- 用户被分配角色，间接获得权限。

四、使用

1、配置文件 (appsettings.json)

appsettings.json

{"JwtSettings": {"Issuer": "yourdomain.com","Audience": "yourapp","SecretKey": "YourSuperSecretKeyAtLeast32CharactersLong","ExpirationMinutes": 60,"RefreshTokenExpirationDays": 7}"AllowedHosts": "*"
}

2、JWT配置模型 (Entity/JwtSettings.cs)

JwtSettings.cs

namespace JWTWebAPI.Entity
{public class JwtSettings{public string Issuer { get; set; } = string.Empty;public string Audience { get; set; } = string.Empty;public string SecretKey { get; set; } = string.Empty;public int ExpirationMinutes { get; set; }public int RefreshTokenExpirationDays { get; set; }}
}

3、服务扩展类，JWT配置 (Extensions/ServiceExtensions.cs)

ServiceExtensions.cs

using JWTWebAPI.Entity;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;
using System.Text;namespace JWTWebAPI.Extensions
{public static class ServiceExtensions{// JWT认证配置public static void ConfigureJwtAuthentication(this IServiceCollection services, IConfiguration configuration){var jwtSettings = configuration.GetSection("JwtSettings").Get<JwtSettings>();services.AddAuthentication(options =>{options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;}).AddJwtBearer(options =>{options.TokenValidationParameters = new TokenValidationParameters{ValidateIssuer = false,ValidIssuer = jwtSettings.Issuer,ValidateAudience = false,ValidAudience = jwtSettings.Audience,ValidateLifetime = false,ValidateIssuerSigningKey = false,IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.SecretKey!)), //ClockSkew = TimeSpan.Zero,RoleClaimType=ClaimTypes.Role};options.Events = new JwtBearerEvents{OnAuthenticationFailed = context =>{if (context.Exception.GetType() == typeof(SecurityTokenExpiredException)){context.Response.Headers.Append("Token-Expired", "true");}return Task.CompletedTask;}};});}// 授权策略配置public static void ConfigureAuthorizationPolicies(this IServiceCollection services){services.AddAuthorization(options =>{// 基于角色的策略options.AddPolicy("AdminOnly", policy =>policy.RequireRole("admin"));options.AddPolicy("ManagerOnly", policy =>policy.RequireRole("admin"));// 基于自定义权限的策略options.AddPolicy("ContentEditor", policy =>policy.RequireClaim("permission", "content.edit"));options.AddPolicy("UserManagement", policy =>policy.RequireClaim("permission", "user.manage"));});}} 
}

4、用户仓库接口服务

Interfaces/IUserRepository.cs

using JWTWebAPI.Entity;namespace JWTWebAPI.Interface
{public interface IUserRepository{Task<AspNetUsers?> GetUserByCredentials(string username, string password);Task SaveRefreshToken(long userId, string refreshToken, DateTime expiry);Task<AspNetUsers?> GetUserByRefreshToken(string refreshToken);}
}

Repositories/UserRepository.cs

using JWTWebAPI.Data;
using JWTWebAPI.Entity;
using JWTWebAPI.Interface;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Org.BouncyCastle.Crypto.Generators;namespace JWTWebAPI.Repository
{public class UserRepositor : IUserRepository{private readonly MyDbContext _context;private readonly UserManager<AspNetUsers> _userManager;public UserRepositor(MyDbContext context, UserManager<AspNetUsers> userManager, RoleManager<Role> roleManager){_context = context;_userManager = userManager;}public async Task<AspNetUsers?> GetUserByCredentials(string username, string password){try{var user=await _userManager.FindByNameAsync(username);if (user == null) return null;return user;}catch (Exception){throw;}}public async Task<AspNetUsers?> GetUserByRefreshToken(string refreshToken){return await _context.Users.FirstOrDefaultAsync(u =>u.RefreshToken == refreshToken &&u.RefreshTokenExpiry > DateTime.UtcNow);}public async Task SaveRefreshToken(long userId, string refreshToken, DateTime expiry){var user = await _context.Users.FindAsync(userId);if (user != null){user.RefreshToken = refreshToken;user.RefreshTokenExpiry = expiry;await _context.SaveChangesAsync();}}}
}

5、认证服务 (Interface/IAuthService.cs、Repository/AuthService.cs)

IAuthService.cs

using JWTWebAPI.Entity;namespace JWTWebAPI.Interface
{public interface IAuthService{Task<AuthResult> Authenticate(string username, string password);Task<AuthResult> RefreshToken(string token, string refreshToken);}
}

AuthService.cs

using JWTWebAPI.Entity;
using JWTWebAPI.Interface;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;namespace JWTWebAPI.Repository
{public class AuthService : IAuthService{private readonly JwtSettings _jwtSettings;private readonly IUserRepository _userRepository;public AuthService(IOptions<JwtSettings> jwtSettings, IUserRepository userRepository){_jwtSettings = jwtSettings.Value;_userRepository = userRepository;}public async Task<AuthResult> Authenticate(string username, string password){var user = await _userRepository.GetUserByCredentials(username, password);if (user == null) return null;var claims = new[]{new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),new Claim(ClaimTypes.Name, user.UserName),new Claim(ClaimTypes.Role, user.Role) // 用户角色	                };var token = GenerateJwtToken(claims);var refreshToken = GenerateRefreshToken();await _userRepository.SaveRefreshToken(user.Id, refreshToken,DateTime.UtcNow.AddDays(_jwtSettings.RefreshTokenExpirationDays));return new AuthResult{Token = token,RefreshToken = refreshToken,ExpiresIn = _jwtSettings.ExpirationMinutes * 60};}public Task<AuthResult> RefreshToken(string token, string refreshToken){throw new NotImplementedException();}private string GenerateJwtToken(IEnumerable<Claim> claims){var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSettings.SecretKey));var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);var token = new JwtSecurityToken(issuer: _jwtSettings.Issuer,audience: _jwtSettings.Audience,claims: claims,expires: DateTime.UtcNow.AddMinutes(_jwtSettings.ExpirationMinutes),signingCredentials: creds);return new JwtSecurityTokenHandler().WriteToken(token);}private static string GenerateRefreshToken(){var randomNumber = new byte[32];using var rng = RandomNumberGenerator.Create();rng.GetBytes(randomNumber);return Convert.ToBase64String(randomNumber);}}
}

AuthResult.cs

namespace JWTWebAPI.Entity
{public class AuthResult{public string Token { get; set; }public string RefreshToken { get; set; }public int ExpiresIn { get; set; }}
}

6、控制器（验证登录权限，生成Token）

AuthController.cs

using JWTWebAPI.Entity;
using JWTWebAPI.Interface;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Runtime;
using System.Security.Claims;
using System.Text;namespace JWTWebAPI.Controllers
{[Route("api/[controller]/[action]")][ApiController]public class AuthController : ControllerBase{private readonly IConfiguration _config;private readonly IOptionsSnapshot<JwtSettings> _settings;private readonly IAuthService _authService;public AuthController(IConfiguration config, IOptionsSnapshot<JwtSettings> settings, IAuthService authService){_config = config;_settings = settings;_authService = authService;}[HttpPost][AllowAnonymous]public async Task<IActionResult> Login([FromBody] LoginModel request){var result = await _authService.Authenticate(request.Username, request.Password);if (result == null) return Unauthorized();return Ok(result);}[HttpPost][AllowAnonymous]public async Task<IActionResult> Refresh([FromBody] RefreshTokenRequest request){var result = await _authService.RefreshToken(request.Token, request.RefreshToken);if (result == null) return Unauthorized();return Ok(result);}}
}

LoginModel.cs

namespace JWTWebAPI.Entity
{public class LoginModel{public string Username { get; set; } = string.Empty;public string Password { get; set; } = string.Empty;}
}

RefreshTokenRequest.cs

public class RefreshTokenRequest
{[Required] public string Token { get; set; }[Required] public string RefreshToken { get; set; }
}

7、注册服务

Program.cs

using JWTWebAPI.Data;
using JWTWebAPI.Entity;
using JWTWebAPI.Extensions;
using JWTWebAPI.Interface;
using JWTWebAPI.Repository;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;var builder = WebApplication.CreateBuilder(args);
// 添加数据库上下文
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
builder.Services.AddDbContext<MyDbContext>(opt => {opt.UseSqlServer(connectionString);
});
builder.Services.AddDataProtection();
builder.Services.AddIdentityCore<AspNetUsers>(opt => {
opt.Lockout.MaxFailedAccessAttempts = 5;//登录失败多少次账号被锁定
opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(1);//锁定多长时间
opt.Password.RequireDigit = false;//密码是否需要数字    
opt.Password.RequireLowercase = false;//密码是否需要小写字符
opt.Password.RequireUppercase = false;//密码是否需要大写字符
opt.Password.RequireNonAlphanumeric = false;//密码是否需要非字母数字的字符
opt.Password.RequiredLength = 6;//密码长度opt.Tokens.PasswordResetTokenProvider = TokenOptions.DefaultEmailProvider;//密码重置令牌，使用默认的邮箱令牌提供程序来生成和验证令牌。此提供程序通常与用户邮箱关联，生成的令牌会通过邮件发送给用户,保证用户通过邮件接收密码重置链接。
opt.Tokens.EmailConfirmationTokenProvider = TokenOptions.DefaultEmailProvider;//配置邮箱确认令牌（Email Confirmation Token）的生成和验证所使用的提供程序（Provider）
});
var idBuilder = new IdentityBuilder(typeof(AspNetUsers), typeof(Role), builder.Services);idBuilder.AddEntityFrameworkStores<MyDbContext>()
.AddDefaultTokenProviders().AddUserManager<UserManager<AspNetUsers>>()
.AddRoleManager<RoleManager<Role>>();builder.Services.Configure<JwtSettings>(builder.Configuration.GetSection("JwtSettings"));
// 添加JWT认证
// 3. 认证服务配置（来自ServiceExtensions）
builder.Services.ConfigureJwtAuthentication(builder.Configuration);  // 扩展方法ServiceExtensions.cs
// 4. 授权策略配置（来自ServiceExtensions）
builder.Services.ConfigureAuthorizationPolicies();  // 扩展方法ServiceExtensions.cs// 5. 注册应用服务
builder.Services.AddScoped<IUserRepository, UserRepositor>();
builder.Services.AddScoped<IAuthService, AuthService>();builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
//跨域
builder.Services.AddCors(options =>
{options.AddPolicy("AllowAll", builder =>builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
});var app = builder.Build();// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{app.UseSwagger();app.UseSwaggerUI();
}app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.UseCors("AllowAll");
app.MapControllers();app.Run();

8、使用示例

AdminController.cs
在需要权限的Controller上添加特性：

using JWTWebAPI.Entity;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;namespace JWTWebAPI.Controllers
{[Route("api/[controller]/[action]")][ApiController]public class AdminController : ControllerBase{[HttpGet][Authorize(Roles = "admin")] // 仅Admin角色可访问public IActionResult GetAdminData(){return Ok("Admin data");}[HttpGet][Authorize(Policy = "AdminOnly")] // 使用策略public IActionResult GetUserInfo(){return Ok("User info");}}
}

9、高级权限控制

1）实现自定义策略处理器：

PermissionHandler.cs

using JWTWebAPI.Entity;
using Microsoft.AspNetCore.Authorization;namespace JWTWebAPI.Extensions
{public class PermissionHandler : AuthorizationHandler<PermissionRequirement>{protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement){var permissions = context.User.FindFirst(c => c.Type == "permissions")?.Value.Split(',');if (permissions?.Any(p => p == requirement.Permission) == true){context.Succeed(requirement);}return Task.CompletedTask;}}
}

PermissionRequirement.cs

using Microsoft.AspNetCore.Authorization;namespace JWTWebAPI.Entity
{public class PermissionRequirement: IAuthorizationRequirement{public string Permission { get; set; }public PermissionRequirement(string permission){Permission = permission;}}
}

2）注册服务及定义策略

Program.cs

//注册
builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
//定义策略（可放在扩展方法中：ServiceExtensions.cs中的ConfigureAuthorizationPolicies方法中）
builder.Services.AddAuthorization(options =>
{options.AddPolicy("UpdateValidate", policy =>policy.Requirements.Add(new PermissionRequirement("profile.update")));
});

3）使用自定义策略

AdminController.cs

using JWTWebAPI.Entity;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;namespace JWTWebAPI.Controllers
{[Route("api/[controller]/[action]")][ApiController]public class AdminController : ControllerBase{[HttpGet][Authorize(Policy = "UpdateValidate")]public IActionResult GetMessage(){return Ok("自定义验证");}}
}

五、关键安全配置

密钥安全：
- 生产环境不要将密钥放在appsettings.json中
- 使用Azure Key Vault或环境变量存储密钥
```
builder.Configuration.AddEnvironmentVariables();
```
HTTPS重定向：
```
app.UseHttpsRedirection();
```

CORS配置：

services.AddCors(options =>
{options.AddPolicy("ApiPolicy", builder =>{builder.WithOrigins("https://your-frontend.com").AllowAnyHeader().AllowAnyMethod().AllowCredentials();});
});